Enable audit pipeline for ceilometer

This change adds the keystonemiddleware audit paste filter[0] and enables it for the ceilometer-api service. This provides the ability to audit API requests for ceilometer. [0] https://docs.openstack.org/keystonemiddleware/latest/audit.html Change-Id: I9d49769bc04f9623ecf5ba4276665dc3b5bebd07
2019-04-11 13:50:29 -05:00 · 2019-04-11 13:50:29 -05:00 · 4fea33dd64
commit 4fea33dd64
parent d544a556db
3 changed files with 19 additions and 1 deletions
--- a/ceilometer/templates/configmap-etc.yaml
+++ b/ceilometer/templates/configmap-etc.yaml
@ -120,6 +120,7 @@ data:
  ceilometer.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.ceilometer | b64enc }}
  api_paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
  policy.json: {{ toJson .Values.conf.policy | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
  event_pipeline.yaml: {{ toYaml .Values.conf.event_pipeline | b64enc }}
  pipeline.yaml: {{ toYaml .Values.conf.pipeline | b64enc }}
  event_definitions.yaml: {{ toYaml .Values.conf.event_definitions | b64enc }}
--- a/ceilometer/templates/deployment-api.yaml
+++ b/ceilometer/templates/deployment-api.yaml
@ -88,6 +88,10 @@ spec:
              mountPath: /etc/ceilometer/policy.json
              subPath: policy.json
              readOnly: true
+            - name: ceilometer-etc
+              mountPath: /etc/ceilometer/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
            - name: ceilometer-etc
              mountPath: /etc/ceilometer/event_definitions.yaml
              subPath: event_definitions.yaml
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@ -1268,6 +1268,9 @@ conf:
    'filter:authtoken':
      paste.filter_factory: 'keystonemiddleware.auth_token:filter_factory'
      oslo_config_project: 'ceilometer'
+    'filter:audit':
+      paste.filter_factory: 'keystonemiddleware.audit:filter_factory'
+      audit_map_file: '/etc/ceilometer/api_audit_map.conf'
    'filter:cors':
      oslo_config_project: 'ceilometer'
      paste.filter_factory: 'oslo_middleware.cors:filter_factory'
@ -1278,7 +1281,7 @@ conf:
      oslo_config_project: 'ceilometer'
      paste.filter_factory: 'oslo_middleware:RequestId.factory'
    'pipeline:main':
-      pipeline: cors http_proxy_to_wsgi request_id authtoken api-server
+      pipeline: cors http_proxy_to_wsgi request_id authtoken audit api-server
  polling:
    sources:
      - name: all_pollsters
@ -1387,6 +1390,16 @@ conf:
    'telemetry:get_sample': ''
    'telemetry:get_samples': ''
    'telemetry:query_sample': ''
+  audit_api_map:
+    DEFAULT:
+      target_endpoint_type: None
+    path_keywords:
+      meters: meter_name
+      resources: resource_id
+      statistics: None
+      samples: sample_id
+    service_endpoints:
+      metering: service/metering
  wsgi_ceilometer: |
    Listen 0.0.0.0:{{ tuple "metering" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}